
When I sign commits or tags with my ssh key (git commit or git tag -s), git keeps asking for the passphrase of that key. However, I do not want to enter the passphrase for every commit.

I use two different keys for authentication and for signing. Both keys are added to the ssh-agent and I do not have to enter the passphrase for the authentication key. Therefore, the ssh-agent seems to work.

This is my git config:

[user]
    signingkey = C:/Users/<username>/.ssh/id_ed25519_github_signing.pub
[core]
    sshCommand = C:/Windows/System32/OpenSSH/ssh.exe
[gpg]
    format = ssh
[commit]
    gpgSign = true
[tag]
    gpgSign = true

This is my ssh config, which only contains a config for the authentication key:

Host *
    IdentitiesOnly yes

Host github.com
    IdentityFile C:/Users/<username>/.ssh/id_ed25519_github

This is the ssh-add -L output:

ssh-ed25519 <authentication pub key> <username>@mail.com
ssh-ed25519 <signing pub key> <username>@mail.com

I already added the key to the ssh-agent and expected that I do not have to enter the passphrase anymore.

I also tried to use the authentication key for signing commits and then I also have to enter the passphrase for that key.

Could it be that git uses "its own" OpenSSH for signing commits instead of Windows' OpenSSH, even though I configured the ssh command?

Fabian
  • https://stackoverflow.com/a/10166916/7976758 "*Signing each commit is totally stupid. It just means that you automate it, and you make the signature worth less. It also doesn't add any real value, since the way the git DAG-chain of SHA1's work, you only ever need one signature to make all the commits reachable from that one be effectively covered by that one. So signing each commit is simply missing the point.*" Linus Torvalds. https://softwareengineering.stackexchange.com/a/212216 – phd Apr 05 '23 at 16:42
  • One of the comments: "I feel like Linus is kind of missing the point. He seems to have an entirely different use case for signed commits in mind than the OP in that thread. (Verifying the integrity of the entire project, vs verifying the authorship of a single commit.)" So with the signature, I want to say that that commit is from me and not from someone else. Why is that a bad thing? It is not that I want to verify the whole project, which would be the case for a signed tag, in my opinion. Can you clarify that? – Fabian Apr 13 '23 at 11:31
  • Signing commits is not bad. Automating passphrase is bad. Enter passphrase on every signing. When you're tired stop signing every commit, sign tags. – phd Apr 13 '23 at 11:36
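The workflow the question expects (private key held only by ssh-agent, git handed just the .pub path, no passphrase prompt) can be reproduced outside git, because with gpg.format = ssh git does not run core.sshCommand at all: it runs the program named by gpg.ssh.program (default ssh-keygen) as `ssh-keygen -Y sign -f <signingkey> -n git`, and ssh-keygen asks the agent for the signature when the file it is given is a public key. The script below is an added example, not code from the question or its comments; it runs on a POSIX system with OpenSSH installed, uses a throwaway key pair it generates itself, and the file names, the `user@mail.com` principal and the `hello` message are constructed for the demonstration. On Windows the equivalent thing to check is which ssh-keygen.exe gpg.ssh.program resolves to and whether that binary can reach the agent that holds the key.

```shell
#!/bin/sh
# Added example (not from the question): sign with a key that exists only in
# ssh-agent, exactly the way git does for gpg.format=ssh, and verify the result.
set -eu

# Prints "ok" when the round trip succeeds: the private key file is deleted
# after loading it into a private agent, so a successful signature proves the
# agent did the signing and no passphrase prompt was needed.
demo_agent_signing() {
    work=$(mktemp -d)

    # Constructed throwaway key. The empty passphrase is only so that ssh-add
    # can load it non-interactively here; the name mirrors the question.
    ssh-keygen -q -t ed25519 -N '' -C 'user@mail.com' \
        -f "$work/id_ed25519_github_signing"

    # Start a private agent for this run and load the key into it.
    eval "$(ssh-agent -s)" >/dev/null
    ssh-add "$work/id_ed25519_github_signing" >/dev/null 2>&1

    # From here on only the agent holds the private half.
    rm "$work/id_ed25519_github_signing"

    printf 'hello\n' > "$work/msg"

    # This is the command git runs (via gpg.ssh.program) when user.signingkey
    # points at a .pub file: given a public key, ssh-keygen signs through the
    # agent. The signature is written to msg.sig.
    ssh-keygen -Y sign -f "$work/id_ed25519_github_signing.pub" -n git \
        "$work/msg" 2>/dev/null

    # allowed_signers has the same "principal key-type base64" layout that
    # git's gpg.ssh.allowedSignersFile uses.
    printf 'user@mail.com %s\n' \
        "$(cut -d' ' -f1,2 "$work/id_ed25519_github_signing.pub")" \
        > "$work/allowed_signers"

    if ssh-keygen -Y verify -f "$work/allowed_signers" -I user@mail.com \
            -n git -s "$work/msg.sig" < "$work/msg" >/dev/null 2>&1; then
        result=ok
    else
        result=fail
    fi

    # Tear down the private agent and the scratch directory.
    ssh-agent -k >/dev/null 2>&1 || true
    rm -rf "$work"
    echo "$result"
}

demo_agent_signing
```

If the same sequence is run by hand against a key that was added with `ssh-add` and signing still prompts for a passphrase, the ssh-keygen being invoked is not talking to the agent that holds the key; comparing `git config gpg.ssh.program` (and, when unset, `which ssh-keygen` from inside Git's shell) with the path of the OpenSSH install whose agent was used is the direct way to tell.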

0 Answers